On 04/18/2014 01:58 AM, Lucio Crusca wrote:
> Hello all,
>
> I need to set up a virtual subnet to create a test AD domain (server +
> clients): guests need to talk to each other, they need to reach the internet
> through a virtual router with nat (virbr0?), broadcasts must not reach the
> host nor the physical network (because of conflicts with the existing real AD
> domain) and libvirt must NOT offer a dhcp service inside the virtual subnet.
>
> What kind of networking model should I look at?

The only part about this that seems odd is the requirement that the
*host* not receive broadcast packets from the guests. Without this, the
guests would not be able to reach the host (because ARP wouldn't work,
and host would necessarily be the next-hop for IP routing), and
therefore wouldn't be able to reach anything outside the virtual subnet.
Aside from this restriction, you are exactly describing libvirt's
"default" network (with the <dhcp> section removed).
If there is just one kind of broadcast traffic that shouldn't reach the
host from the guests, then you could create a network hook script to
add an iptables rule that does the requested blocking when the network
is started (and removes it when the network is stopped) - see
http://libvirt.org/hooks.html (note that network hook scripts are only
available since libvirt 1.2.2, which is very new, so you may instead
need to just add it somewhere in the host's own config).
Alternately, if you want a guest network that isn't directly connected
to the host, you could handle it in the following manner:
1) create a *completely empty* libvirt network - no IP address and no
<forward>:

<network>
  <name>pure-virtual</name>
</network>

(define this network, set it to autostart, and start it using virsh).
2) Create a virtual guest that has two network interfaces - a "public"
interface that connects to libvirt's default network, and a "private"
interface that connects to the new network named "pure-virtual". This
guest will act as a router between the pure-virtual network and the host
(and rest of the internet).
3) set up whatever services (dhcp, dns, etc.) you like on the guest you
created in (2)
4) when you create your test guests, connect their network interfaces to
the "pure-virtual" network, *not* the default network.
The router guest that you created in (2) will not need to perform NAT,
as that is already being done by the host as the traffic egresses from
the public side of the router guest (although it will probably still
work for most things even if you do have double-NAT. And I guess if you
want to guarantee that the host cannot initiate contact with any of the
test guests, you actually may want to have NAT on the router guest as well).
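As an added illustration of the hook-script route described above (this is example code, not a script from the thread or from libvirt), here is a network hook that inserts an iptables INPUT rule when the network reports "started" and removes it on "stopped". The choice of "default"/virbr0 and of NetBIOS name/datagram service (UDP 137/138) as the one broadcast type to keep off the host are assumptions made for the example; substitute whatever traffic actually conflicts with the real domain.

```shell
#!/bin/sh
# Added example, not code from the original thread: a libvirt network hook
# script (installed executable as /etc/libvirt/hooks/network, libvirt >= 1.2.2)
# that blocks one kind of guest broadcast at the host while the network is up.
# libvirt invokes it as:  network <network-name> <operation> <sub-op> <extra>
# with the network XML on stdin; see http://libvirt.org/hooks.html.
# Assumptions: the network is "default" on bridge virbr0, and the traffic to
# keep off the host is NetBIOS name/datagram service (UDP 137/138), chosen
# here only as an illustration of "one kind of broadcast".

NET_NAME="default"
BRIDGE="virbr0"
IPTABLES="${IPTABLES:-iptables}"    # IPTABLES=echo gives a dry run

# iptables arguments for inserting (-I) or deleting (-D) the INPUT rule that
# drops the chosen broadcasts arriving on the bridge. Filtering INPUT rather
# than FORWARD means guests still talk to each other and still reach the
# internet through the host; only delivery to the host's own stack is stopped.
rule_args() {   # $1 = -I or -D
    printf '%s INPUT -i %s -p udp -m multiport --dports 137,138 -j DROP' "$1" "$BRIDGE"
}

# Map a hook invocation to an iptables action; prints nothing when the hook
# fires for another network or for an operation this script ignores.
hook_action() {   # $1 = network name, $2 = operation
    [ "$1" = "$NET_NAME" ] || return 0
    case "$2" in
        started) rule_args -I ;;   # network is up: add the rule
        stopped) rule_args -D ;;   # network went down: remove it again
        *)       ;;                # start, port-created, ...: nothing to do
    esac
}

# Entry point when libvirt runs the script (the functions above can also be
# sourced for testing). Failures are logged rather than propagated, since the
# hook's exit status is what libvirt sees.
if [ $# -ge 2 ]; then
    args=$(hook_action "$1" "$2")
    if [ -n "$args" ]; then
        # word splitting of $args into separate iptables arguments is intended
        $IPTABLES $args || logger -t libvirt-hook "iptables $args failed"
    fi
fi
```

The hooks page notes that libvirtd only picks up a newly installed hook script after a restart, and that a hook must not call back into libvirt itself, so keep the script to plain iptables work as above. Before relying on it, run it by hand with `IPTABLES=echo ./network default started begin -` to see the exact rule it would install.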
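The four-step router-guest layout above, carried through end to end as an added example (not code from the thread or from libvirt): the "default" network XML with its <dhcp> section removed, the empty "pure-virtual" network, and the virsh calls that define the networks and attach the router guest to both while test guests get only the private side. The subnet 192.168.122.0/24, bridge virbr0, the guest names "ad-router" and "ad-client1", and the assumption that those guests already exist are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original thread: provisions the two networks
# the reply describes (a "default" network with its <dhcp> section removed and
# the empty "pure-virtual" network) and wires guests to them with virsh.
# Assumptions: subnet 192.168.122.0/24 and bridge virbr0 (libvirt's usual
# defaults), guest names "ad-router" and "ad-client1", and that those guests
# are already defined (e.g. with virt-install).
# Run:  sh provision.sh provision     (set VIRSH=echo first for a dry run)

VIRSH="${VIRSH:-virsh}"

# Default network without DHCP: NAT to the host's uplink, host reachable on
# 192.168.122.1, but libvirt's dnsmasq hands out no leases.
default_net_xml() {
    cat <<'EOF'
<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>
EOF
}

# Step 1: a completely empty network, no <ip> and no <forward>, so the bridge
# carries no host address and the host routes or NATs nothing for it.
pure_virtual_net_xml() {
    cat <<'EOF'
<network>
  <name>pure-virtual</name>
</network>
EOF
}

# One <interface> element attaching a guest to the named libvirt network.
iface_xml() {   # $1 = network name
    printf "<interface type='network'>\n  <source network='%s'/>\n  <model type='virtio'/>\n</interface>\n" "$1"
}

# Checks mirroring the requirements in the thread; exit status 0 = satisfied.
no_dhcp()  { ! printf '%s' "$1" | grep -q '<dhcp'; }
isolated() { ! printf '%s' "$1" | grep -q -e '<ip' -e '<forward'; }

# Define, autostart and start a network from an XML-producing function. A
# running copy (the stock "default" network is usually active) is stopped
# first so the new definition is what comes up.
define_net() {   # $1 = function name, $2 = network name
    tmp=$(mktemp) || return 1
    "$1" > "$tmp"
    $VIRSH net-destroy "$2" >/dev/null 2>&1 || true
    $VIRSH net-define "$tmp" && $VIRSH net-autostart "$2" && $VIRSH net-start "$2"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Add an interface to a guest's persistent definition (takes effect next boot).
attach_iface() {   # $1 = guest, $2 = network
    tmp=$(mktemp) || return 1
    iface_xml "$2" > "$tmp"
    $VIRSH attach-device "$1" "$tmp" --config
    rc=$?
    rm -f "$tmp"
    return $rc
}

provision() {
    no_dhcp  "$(default_net_xml)"      || { echo "default network still has <dhcp>" >&2; return 1; }
    isolated "$(pure_virtual_net_xml)" || { echo "pure-virtual is not isolated" >&2; return 1; }
    define_net default_net_xml default
    define_net pure_virtual_net_xml pure-virtual
    # Step 2: the router guest sits on both networks ...
    attach_iface ad-router default
    attach_iface ad-router pure-virtual
    # Step 4: ... test guests only on the private one.
    attach_iface ad-client1 pure-virtual
}

if [ "${1:-}" = "provision" ]; then
    provision
fi
```

Step 3 (DHCP, DNS and IP forwarding inside ad-router) is guest-side configuration and is not covered by the script. Because pure-virtual has no <ip> element, the host holds no address on that bridge, which is exactly what keeps guest broadcasts from reaching the host's stack; the price is that the router guest is the only path out, so it must forward between its two interfaces.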